- 13 1月, 2012 1 次提交
-
-
由 Eric Dumazet 提交于
commit a9b3cd7f (rcu: convert uses of rcu_assign_pointer(x, NULL) to RCU_INIT_POINTER) did a lot of incorrect changes, since it did a complete conversion of rcu_assign_pointer(x, y) to RCU_INIT_POINTER(x, y). We miss needed barriers, even on x86, when y is not NULL. Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> CC: Stephen Hemminger <shemminger@vyatta.com> CC: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 02 8月, 2011 1 次提交
-
-
由 Stephen Hemminger 提交于
When assigning a NULL value to an RCU protected pointer, no barrier is needed. The rcu_assign_pointer, used to handle that but will soon change to not handle the special case. Convert all rcu_assign_pointer of NULL value. //smpl @@ expression P; @@ - rcu_assign_pointer(P, NULL) + RCU_INIT_POINTER(P, NULL) // </smpl> Signed-off-by: NStephen Hemminger <shemminger@vyatta.com> Acked-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 08 5月, 2011 1 次提交
-
-
由 Lai Jiangshan 提交于
The rcu callback __nf_ct_ext_free_rcu() just calls a kfree(), so we use kfree_rcu() instead of the call_rcu(__nf_ct_ext_free_rcu). Signed-off-by: NLai Jiangshan <laijs@cn.fujitsu.com> Acked-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com> Reviewed-by: NJosh Triplett <josh@joshtriplett.org>
-
- 16 11月, 2010 1 次提交
-
-
由 Eric Dumazet 提交于
Use RCU helpers to reduce number of sparse warnings (CONFIG_SPARSE_RCU_POINTER=y), and adds lockdep checks. Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 15 11月, 2010 1 次提交
-
-
由 Changli Gao 提交于
In function update_alloc_size(), sizeof(struct nf_ct_ext) is added twice wrongly. Signed-off-by: NChangli Gao <xiaosuo@gmail.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 23 9月, 2010 1 次提交
-
-
由 Eric Dumazet 提交于
As soon as rcu_read_unlock() is called, there is no guarantee current thread can safely derefence t pointer, rcu protected. Fix is to copy t->alloc_size in a temporary variable. Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Reviewed-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 20 8月, 2010 1 次提交
-
-
由 Arnd Bergmann 提交于
Signed-off-by: NArnd Bergmann <arnd@arndb.de> Signed-off-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: NPatrick McHardy <kaber@trash.net> Cc: "David S. Miller" <davem@davemloft.net> Cc: Eric Dumazet <eric.dumazet@gmail.com> Reviewed-by: NJosh Triplett <josh@joshtriplett.org>
-
- 02 8月, 2010 1 次提交
-
-
由 Changli Gao 提交于
some users of nf_ct_ext_exist() know ct->ext isn't NULL. For these users, the check for ct->ext isn't necessary, the function __nf_ct_ext_exist() can be used instead. the type of the return value of nf_ct_ext_exist() is changed to bool. Signed-off-by: NChangli Gao <xiaosuo@gmail.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 12 2月, 2010 1 次提交
-
-
由 Alexey Dobriyan 提交于
call_rcu() will unconditionally reinitialize RCU head anyway. Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com> Reviewed-by: NPaul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 25 6月, 2009 1 次提交
-
-
由 Jesper Dangaard Brouer 提交于
RCU barriers, rcu_barrier(), is inserted two places. In nf_conntrack_expect.c nf_conntrack_expect_fini() before the kmem_cache_destroy(). Firstly to make sure the callback to the nf_ct_expect_free_rcu() code is still around. Secondly because I'm unsure about the consequence of having in flight nf_ct_expect_free_rcu/kmem_cache_free() calls while doing a kmem_cache_destroy() slab destroy. And in nf_conntrack_extend.c nf_ct_extend_unregister(), inorder to wait for completion of callbacks to __nf_ct_ext_free_rcu(), which is invoked by __nf_ct_ext_add(). It might be more efficient to call rcu_barrier() in nf_conntrack_core.c nf_conntrack_cleanup_net(), but thats make it more difficult to read the code (as the callback code in located in nf_conntrack_extend.c). Signed-off-by: NJesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 27 7月, 2008 2 次提交
-
-
由 Patrick McHardy 提交于
As Linus points out, "ct->ext" and "new" are always equal, avoid unnecessary dereferences and use "new" directly. Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Pekka Enberg 提交于
As suggested by Patrick McHardy, introduce a __krealloc() that doesn't free the original buffer to fix a double-free and use-after-free bug introduced by me in netfilter that uses RCU. Reported-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NPekka Enberg <penberg@cs.helsinki.fi> Tested-by: NDieter Ries <clip2@gmx.de> Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 18 6月, 2008 1 次提交
-
-
由 Patrick McHardy 提交于
Fix three ct_extend/NAT extension related races: - When cleaning up the extension area and removing it from the bysource hash, the nat->ct pointer must not be set to NULL since it may still be used in a RCU read side - When replacing a NAT extension area in the bysource hash, the nat->ct pointer must be assigned before performing the replacement - When reallocating extension storage in ct_extend, the old memory must not be freed immediately since it may still be used by a RCU read side Possibly fixes https://bugzilla.redhat.com/show_bug.cgi?id=449315 and/or http://bugzilla.kernel.org/show_bug.cgi?id=10875Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 10 6月, 2008 1 次提交
-
-
由 Pekka Enberg 提交于
The ksize() API is going away because it is being abused and it doesn't even work consistenly across different allocators. Therefore, convert net/netfilter/nf_conntrack_extend.c to use krealloc(). Signed-off-by: NPekka Enberg <penberg@cs.helsinki.fi> Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 14 4月, 2008 1 次提交
-
-
由 Patrick McHardy 提交于
New extensions may only be added to unconfirmed conntracks to avoid races when reallocating the storage. Also change NF_CT_ASSERT to use WARN_ON to get backtraces. Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 11 3月, 2008 1 次提交
-
-
由 Pekka Enberg 提交于
There's a horrible slab abuse in net/netfilter/nf_conntrack_extend.c that can be replaced with a call to ksize(). Cc: Christoph Lameter <clameter@sgi.com> Signed-off-by: NPekka Enberg <penberg@cs.helsinki.fi> Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 08 2月, 2008 1 次提交
-
-
由 Patrick McHardy 提交于
The ->move operation has two bugs: - It is called with the same extension as source and destination, so it doesn't update the new extension. - The address of the old extension is calculated incorrectly, instead of (void *)ct->ext + ct->ext->offset[i] it uses ct->ext + ct->ext->offset[i]. Fixes a crash on x86_64 reported by Chuck Ebbert <cebbert@redhat.com> and Thomas Woerner <twoerner@redhat.com>. Tested-by: NThomas Woerner <twoerner@redhat.com> Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 16 11月, 2007 1 次提交
-
-
由 Evgeniy Polyakov 提交于
Reported by Chuck Ebbert as: https://bugzilla.redhat.com/show_bug.cgi?id=259501#c14 This routine is called each time hash should be replaced, nf_conn has extension list which contains pointers to connection tracking users (like nat, which is right now the only such user), so when replace takes place it should copy own extensions. Loop above checks for own extension, but tries to move higer-layer one, which can lead to above oops. Signed-off-by: NEvgeniy Polyakov <johnpol@2ka.mipt.ru> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 11 7月, 2007 1 次提交
-
-
由 Yasuyuki Kozakai 提交于
Old space allocator of conntrack had problems about extensibility. - It required slab cache per combination of extensions. - It expected what extensions would be assigned, but it was impossible to expect that completely, then we allocated bigger memory object than really required. - It needed to search helper twice due to lock issue. Now basic informations of a connection are stored in 'struct nf_conn'. And a storage for extension (helper, NAT) is allocated by kmalloc. Signed-off-by: NYasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-